Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Sudden excessive WinEventLog:Security events involving splunkd.exe

nk-1
Path Finder
‎10-01-2017 05:28 PM

Splunk Universal Forwarder is v6.4.x
Splunk Server is v6.5.x

In C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_windows\local\inputs.conf , I have:

[WinEventLog://Security]
disabled = 0
index = wmi

I would normally see about 240 WinEventLog://Security "splunkd.exe" events logged per hour (for weeks).
Suddenly, that number jumped to over 4 million WinEventLog://Security "splunkd.exe" events logged per hour, and my indexing limit was exceeded.

Here's what gets logged:

TIMESTAMP
LogName=Security
SourceName=Microsoft Windows security auditing.
EventCode=5156
EventType=0
Type=Information
ComputerName=HOSTNAME
TaskCategory=Filtering Platform Connection
OpCode=Info
RecordNumber=X
Keywords=Audit Success
Message=The Windows Filtering Platform has permitted a connection.

Application Information:
Process ID: XXX
Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe

Network Information:
Direction: Outbound
Source Address: 10.X.X.X
Source Port: XXX
Destination Address: 172.X.X.X
Destination Port: XXX
Protocol: 6

Filter Information:
Filter Run-Time ID: XXX
Layer Name: Connect
Layer Run-Time ID: X

What could have possibly changed in a Windows machine that suddenly makes it log so much WinEventLog:Security "splunkd.exe" events?

I could set disabled=1, but then I'd lose the ability to track who is logging in/out of that machine.
Is there any way to just omit logging these kind of "Audit Success" / "The Windows Filtering Platform has permitted a connection" events?

Reply
1 Solution
Solved! Jump to solution
Solution

nk-1
Path Finder
‎10-02-2017 05:12 PM

Found an answer right here - http://answers.splunk.com/answers/53422/eventcode-5156.html


auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chanthongphiob
Path Finder
‎05-16-2018 11:54 AM

Did you ever figure out why the "Application Name: \device\harddiskvolume2\program files\splunkuniversalforwarder\bin\splunkd.exe" was making excessive connections to the machine? I have also run into this issue, but would like to know the root cause of excessive connections, and not excessive logs.

0 Karma
Reply
Solved! Jump to solution

nk-1
Path Finder
‎10-03-2017 02:01 PM

The excessive WinEventLog:Security events started the day some updates were pushed to the machine:
Microsoft Security Update for .NET
McAfee product updates (including Firewall update)

Hmm... But it could have been something else that triggered it too.

0 Karma
Reply
Solved! Jump to solution
Solution

nk-1
Path Finder
‎10-02-2017 05:12 PM

Found an answer right here - http://answers.splunk.com/answers/53422/eventcode-5156.html


auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcement

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...